Third-Party Supplier Register
This article goes over what are third-party suppliers, and why it is important to register them in Copla Registry.
Topics covered in this page:
What Is a Third Party
A third party is any external individual, vendor, or organization that operates outside your company’s internal structure but provides services, products, or operational support.
This includes (but is not limited to):
-
Technology providers and SaaS platforms
-
Consultants and contractors
-
Hosting services or cloud providers
-
Outsourced business partners
-
Any supplier with whom your organization has a formal or informal working relationship
Why It Matters
Some third parties:
-
Access or process sensitive data
-
Integrate with internal systems
-
Support critical business operations
Because of this, it’s essential to:
-
Clearly identify all third parties
-
Understand the scope of services they provide
-
Assess how they interact with your systems, data, or infrastructure
Purpose Of The Register
The Third-Party Supplier Register is designed to:
-
Provide centralized visibility into external dependencies
-
Support risk assessments and compliance efforts
-
Improve accountability and supplier oversight
Please complete the register with accurate, up-to-date information for each third party your team engages with.
Examples of Common Third-Party Vendors
|
# |
Vendor Type |
Vendor Name |
Services Provided |
|
1 |
SaaS Platform |
Atlassian Pty Ltd |
Project management and collaboration (Jira, Confluence) |
|
2 |
Cloud Infrastructure |
Amazon Web Services EMEA SARL |
Cloud computing, storage, networking |
|
3 |
Accounting/Finance |
UAB http://B1.lt |
Accounting, tax and payroll services |
|
4 |
Legal Services |
Sorainen |
Corporate legal and compliance advisory |
|
5 |
Software Development |
UAB Devbridge |
Custom application development and maintenance |
|
6 |
CRM & Sales Automation |
Salesforce Ireland Ltd |
Customer relationship management and sales tracking |
|
7 |
IT Helpdesk & Support |
UAB ITSupportas |
End-user support and IT troubleshooting services |
|
8 |
HR & Recruitment |
UAB PeopleLink |
Recruitment and hiring services |
|
9 |
Security Testing |
UAB CyberTest |
Penetration testing and vulnerability assessments |
|
10 |
Email & Productivity Suite |
Google Ireland Ltd |
Email, document storage, collaboration (Google Workspace) |
|
11 |
Payment Processing |
Stripe Payments Europe, Ltd |
Online payments and billing infrastructure |
|
12 |
Code Repository |
GitHub, Inc. |
Source code repository, CI/CD integration |
|
13 |
Marketing Automation |
Mailchimp |
Email marketing and customer engagement automation |
|
14 |
Domain & DNS Management |
GoDaddy Inc. |
Domain registration, DNS configuration |
|
15 |
Data Analytics |
Looker (Google) |
Business intelligence and data visualization |
|
16 |
Time Tracking |
Toggl OÜ |
Employee time tracking and productivity tools |
|
17 |
Background Checks |
First Advantage |
Employee screening and criminal record verification |
|
18 |
E-Signature |
DocuSign Inc. |
Digital contract signing and workflow management |
|
19 |
Learning Management System |
Coursera, Inc. |
Training, awareness, and employee learning platforms |
|
20 |
Backup & Disaster Recovery |
Veeam Software |
Backup, replication, and disaster recovery solutions |
Step-by-Step Instructions
-
Accessing the Register
-
Log in to the system and navigate to the “Dynamic Registers” section.
-
Click on “Register List”.
-
Select “Third-Party Supplier Register” from the list.
-
-
Understanding the Supplier List
-
The register includes pre-filled data fields to guide what information must be entered for each third-party supplier.
-
If a supplier type is not used, delete the corresponding row.
-
If a supplier is in use, update the fields with:
-
The actual supplier name
-
Relevant supporting details (e.g. service type, contact info, data access level)
-
-
-
-
Supplier Identification
-
Assign a unique entry number in the Nr. column.
-
In the Vendor Name field, enter the supplier’s exact legal name (as shown in contracts or official documentation).
-
Column-by-Column Completion Guide
|
Column |
Description |
|---|---|
|
Nr. |
Sequential number of the vendor entry. |
|
Vendor Name |
Full legal name of the third-party vendor. |
|
Vendor Contact Person, Contact’s Details |
Name, email, phone, and role of the primary contact person at the vendor. |
|
Services/Products Provided |
Short description of services or products procured from the vendor. |
|
Information Shared |
List the types of information shared with the vendor (e.g., documents, audit reports, credentials). |
|
Information Classification |
Classification level of shared information (e.g., Confidential, Internal Use). |
|
Contract Start Date |
Date when the agreement with the vendor begins. |
|
Contract End Date |
Date when the agreement with the vendor ends. |
|
Security Clauses |
Summary of security-related clauses included in the contract (e.g., access controls, data protection). |
|
Access Rights Provided |
Systems, platforms, or data the vendor is allowed to access. |
|
Access Control Methods |
Technical or procedural methods used to control access (e.g., VPN, MFA). |
|
Risk Level |
Risk classification of the vendor (e.g., High, Medium, Low). |
|
Third-party Certifications |
Any certifications held by the vendor (e.g., ISO 27001:2022). |
|
Risk Mitigation Measures |
Measures in place to manage vendor-related risks (e.g., SLAs, NDAs). |
|
Service Level Agreements (SLAs) |
Any relevant service level commitments or guarantees. |
|
Compliance Requirements |
Regulatory or legal frameworks the vendor must comply with (e.g., DORA, NIS2). |
|
Monitoring and Audit Schedule |
How and how often the vendor is monitored or audited (e.g., annually). |
|
Security Incident Reporting |
Agreed process for incident reporting (e.g., “Incident Portal”). |
|
Review Date |
Date of the last internal review or audit of the vendor. |
|
Next Review Date |
Date scheduled for the next vendor review. |